VulnerableCode Package Details - pkg:composer/symfony/http-kernel@5.3.12

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-q9nm-2b34-yked	Webcache Poisoning in symfony/http-kernel Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the `X-Forwarded-*` HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we've added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` HTTP header, leading to a web cache poisoning issue. Resolution ---------- Symfony now ensures that the `X-Forwarded-Prefix` HTTP header is not forwarded to sub-requests when it is not trusted. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487) for branch 5.3. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.	CVE-2021-41267 GHSA-q3j3-w37x-hq2q

Vulnerability

Summary

Aliases

VCID-q9nm-2b34-yked

Webcache Poisoning in symfony/http-kernel Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the `X-Forwarded-*` HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we've added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` HTTP header, leading to a web cache poisoning issue. Resolution ---------- Symfony now ensures that the `X-Forwarded-Prefix` HTTP header is not forwarded to sub-requests when it is not trusted. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487) for branch 5.3. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.

CVE-2021-41267
GHSA-q3j3-w37x-hq2q

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:12:17.598233+00:00	GitLab Importer	Fixing	VCID-q9nm-2b34-yked	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2021-41267.yml	36.1.3
2025-07-01T14:30:47.148279+00:00	GHSA Importer	Fixing	VCID-q9nm-2b34-yked	https://github.com/advisories/GHSA-q3j3-w37x-hq2q	36.1.3
2025-07-01T12:19:17.018754+00:00	GithubOSV Importer	Fixing	VCID-q9nm-2b34-yked	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-q3j3-w37x-hq2q/GHSA-q3j3-w37x-hq2q.json	36.1.3